Abstract

We define a model for linear logic based on two well-known ingredients: games and 
simulations. This model is interesting in the following respect: while it is obvious 
that the objects interpreting formulas are games and that everything is developed 
with the intuition of interaction in mind, the notion of morphism is very different 
from traditional morphisms in games semantics. In particular, we make no use of 
the notion of strategy! The resulting structure is very different from what is usually 
found in categories of games. 

We start by defining several constructions on those games and show, using ele- 
mentary considerations, that they enjoy the appropriate algebraic properties mak- 
ing this category a denotational model for intuitionistic linear logic. An interesting 
point is that the tensor product corresponds to a strongly synchronous operation 
on games.

This category can also, using traditional translations, serve as a model for the
simply typed λ-calculus. We use some of the additional structure of the category to
extend this to a model of the simply typed differential λ-calculus of [1]. Once this is
done, we go a little further by constructing a reflexive object in this category, thus
getting a concrete non-trivial model for the untyped differential λ-calculus.

We then show, using a highly non-constructive principle, that this category is in
fact a model for full classical linear logic; and we finally have a brief look at the
related notions of predicate transformers ([2]) and containers ([3]).

Introduction



Transition systems and simulation relations are well known tools in computer
science. More recent is the use of games to give models for different programming
languages [^115], or as an interesting tool for the study of other programming
notions [6]. We devise a denotational model of linear logic based on those
two ideas. Basically, a formula will be interpreted by an "alternating transition
system" (called an interaction system) and a proof will be interpreted
by a safety property for this interaction system. Those concepts which were
primarily developed to model imperative programming and interfaces turned
out to give a rather interesting games model: a formula is interpreted by a
game (the interaction systems), and a proof by a witness that a non-losing
strategy exists (the safety property). The notion of morphism corresponds to
the notion of simulation relation, a particular case of safety properties.

Part of the interest is that the notion of safety property is very simple. They 
are only subsets of states in which the first player can remain, whatever the 
second player does. In other words, from any state in the safety property, the 
first player has an infinite strategy which never leaves the safety property. This 
is to be contrasted with traditional notions where morphisms are functions 
(usually depending on some subset of the history) giving the strategy. 

The structure of safety properties is much richer than the structure of proofs.
In particular, safety properties are closed under arbitrary unions. Since there
is no notion of "sum" of proofs, this doesn't reflect a logical property. However,
this is a feature rather than a bug: the differential λ-calculus of Ehrhard and
Regnier ([1]) is an extension of λ-calculus with a notion of differentiation and
non-deterministic sum. As we will show, interaction systems can interpret this
extra structure quite naturally.

Even better, this category enjoys such properties that we can, without much
difficulty, construct a reflexive object allowing an interpretation of untyped
differential λ-calculus. This reflexive object is constructed using a fixpoint
construction which is already available in the category Rel of sets and relations
between them.

The last thing we look at in this category is the object "⊥". As far as interaction
is concerned, this is one of the most boring objects. However, it satisfies
a very strong algebraic property: it is dualizing and we can thus interpret the
whole of classical linear logic. This was rather unexpected and has a few surprising
consequences (see corollary ). The main reason for this is that the
principle used to prove this fact (the contraposition of the axiom of choice) is
relatively counter-intuitive. It is also the only part of this work where highly
non-constructive principles are used, which explains why we separate this from
the rest.



We conclude this paper by relating interaction systems with other notions,
namely the notion of predicate transformers ([2]) and the notion of containers
([5]) and "dependent containers".



1 Interaction Systems 

The definition of interaction system we are using was developed primarily
by Peter Hancock and Anton Setzer. Their aim was to describe programming
interfaces in dependent type theory ([7,8]). The ability to use dependent types
makes it possible to add logical specifications to the usual specification. The result
is a notion of formal interface describing:

• the way the programmer is allowed to use commands;

• and the logical properties he can expect from those commands.

In practice, it is usually the case that the logical specification is ensured a
posteriori: a command might be legally used in a situation, even though the logical
specification prevents it.

Because of their definition however, interaction systems can be interpreted in
many different ways. In order to develop some intuitions, we prefer using a
"games" interpretation: an interaction system describes the modalities of a
two-person game.

1.1 The Category of Interaction Systems 
Let's start with the raw definition: 

Definition 1 Let $S$ be a set (of states); an interaction system on $S$ is given
by the following data:

• for each $s \in S$, a set $A(s)$ of possible actions;

• for each $a \in A(s)$, a set $D(s,a)$ of possible reactions to $a$;

• for each $d \in D(s,a)$, a new state $n(s,a,d) \in S$.

We usually write $s[a/d]$ instead of $n(s,a,d)$.

We use the letter w for an arbitrary interaction system, and implicitly name its
components A, D and n. To resolve ambiguity, we sometimes use the notation
w.A, w.D and w.n to denote the components of interaction system w. The set
of states is usually implicit, and we write it w.S.

Following standard practice within computer science, we distinguish the two 
"characters" by calling them the Angel (choosing actions, hence the A) and 
the Demon (choosing reactions, hence the D). Depending on the authors' 
background, other names could be Player and Opponent, Eloise and Abelard, 
Alice and Bob, Master and Slave, Client and Server, System and Environment, 
alpha and beta, Arthur and Bertha, Left and Right etc. 



As stated above, one of the original goals for interaction systems was to rep- 
resent programming interfaces. Here is for example the interface of a stack of 
booleans: 



$S = \mathrm{List}(\mathbb{B})$
The set of states $S$ represents the "virtual" internal states of an implementation of stacks: lists (stacks) of booleans.

$A([]) = \{\mathrm{Push}(b) \mid b \in \mathbb{B}\}$
$A(\_) = \{\mathrm{Push}(b) \mid b \in \mathbb{B}\} \cup \{\mathrm{Pop}\}$
In a non-empty state, we can issue a "pop" or a "push(b)" command, but if the state is empty, we can only issue a push command.

$D(\_, \_) = \{\mathrm{Akn}\}$
The responses are (in this case) trivial: we can only get an "Aknowledgment".

$n(s, \mathrm{Push}(b)) = b :: s$
$n(b :: s, \mathrm{Pop}) = s$
The next state is defined by either adding a boolean in front of the list (push) or removing the first element of the list (pop).



What is still missing from this description is the "side-effects" part: it doesn't
say anywhere that a "pop" command will return the first element of the state.
This is however much more precise than traditional interfaces which are usually
given by a collection of types. Compare with this poor description of stacks:

• $\mathrm{Pop} : \mathbb{B}$

• $\mathrm{Push} : \mathbb{B} \to ()$

For any given stack, there are two commands: "Pop" and "push": the
first one returns a boolean and the second one takes a single boolean
argument and "does something".



Since we are aiming at a games semantics, we will rather use the following 
interpretation: 

• $S$ is a set of states describing the possible states of a game;

• for a state $s \in S$, the set $A(s)$ is the set of legal moves in state $s$;

• for such a move $a \in A(s)$, the set $D(s,a)$ is the set of countermoves to $a$;

• finally, $s[a/d]$ is just the new state of the game after $a/d$ has been played.



It is possible to devise interaction systems with such side-effects, but the theory
of those is still to be developed.

Departing from the well established tradition of "morphisms as strategies",
we use the following notion of "simulation relation":

Definition 2 If $w_1$ and $w_2$ are two interaction systems on $S_1$ and $S_2$ respectively;
a relation $r \subseteq S_1 \times S_2$ is called a simulation if:

$$
\begin{aligned}
(s_1,s_2) \in r \ \Rightarrow\ & (\forall a_1 \in A_1(s_1)) \\
& (\exists a_2 \in A_2(s_2)) \\
& (\forall d_2 \in D_2(s_2,a_2)) \\
& (\exists d_1 \in D_1(s_1,a_1)) \\
& (s_1[a_1/d_1], s_2[a_2/d_2]) \in r .
\end{aligned}
$$

This definition is very similar to the usual definition of simulation relations
between labeled transition systems, but adds one layer of quantifiers to deal
with reactions. That $(s_1,s_2) \in r$ means that "$s_2$ simulates $s_1$". By extension,
if $a_2$ is a witness to the first existential quantifier, we say that "$a_2$ simulates $a_1$".
Note that because the left hand side would be vacuous, the empty relation is
always a simulation.

It is illuminating to look at the usual "copycat strategy" with this in mind: a
simulation is just a generalization of what happens there. Intuitively, a simulation
from w to w' means that if the Angel knows how to play in w, she can
simulate, move after move, a play in w'. (And vice versa for the Demon.)

To continue on the previous example, programming a stack interface amounts
to implementing the stack commands using a lower level interface (arrays
and pointers, for example). If we interpret the quantifiers constructively, this
amounts to providing a (constructive) proof that a non-empty relation is a
simulation from this lower level interaction system to stacks: for each of the
stack commands, we need to provide a witness command in the low level
world in such a way as to guarantee simulation. (See [H] and [TU] for a more
detailed description of programming in terms of interaction systems.)

Recall that the composition of two relations is given by:

$$(s_1,s_3) \in r_2 \cdot r_1 \ \Leftrightarrow\ (\exists s_2)\ (s_1,s_2) \in r_1 \text{ and } (s_2,s_3) \in r_2$$

It should be obvious that the composition of two simulations is a simulation
and that the equality relation is a simulation from any w to itself. Thus, we
can put:

Definition 3 We call Int the category of interaction systems with simulations.



Note that this category is locally small but that, for any given set of states $S$,
the collection of interaction systems on $S$ forms a proper class. It is possible
to restrict to "finitary" interaction systems: those for which the sets of actions
and the sets of reactions are always finite. For our purposes, it is impossible
to restrict to finite sets of states (see the definition of $!w$) or to countable
actions/reactions sets (see the definition of $w_1 \multimap w_2$). Subtler considerations
show that it is however possible to restrict to sets of states of cardinalities
and sets of actions of cardinalities $2^{\aleph_0}$ and sets of reactions of cardinalities $\aleph_0$.
(See the proof of proposition [55] for a hint.)



We have the following "forgetful" functor from Int to Rel, the category of 
sets and relations between them: 

Lemma 4 The operation $w \mapsto |w| = w.S$ is a faithful functor from Int
to Rel. Its action on morphisms is just the identity.

This functor has a right adjoint $S \mapsto \mathrm{magic}(S)$ and a left adjoint $S \mapsto \mathrm{abort}(S)$
defined by (where $\{*\}$ denotes a singleton set)

$$
\begin{aligned}
\mathrm{magic}(S).A(s) &= \{*\} & \mathrm{abort}(S).A(s) &= \emptyset \\
\mathrm{magic}(S).D(s,*) &= \emptyset & \mathrm{abort}(S).D(s,\_) &= \_ \\
\mathrm{magic}(S).n(s,*,\_) &= \_ & \mathrm{abort}(S).n(s,\_,\_) &= \_
\end{aligned}
$$



In terms of games, magic means "the Demon resigns" (he cannot answer any 
move) while abort means "the Angel resigns" (she cannot play). 

This category enjoys a very strong algebraic property: 

Proposition 5 The category Int is enriched over complete sup-lattices. 

Note that enrichment over sup-lattices is stronger than enrichment over
commutative monoids.

PROOF. Proving that an arbitrary union of simulations in $\mathrm{Int}(w_1,w_2)$ is
still a simulation in $\mathrm{Int}(w_1,w_2)$ is trivial; as well as showing that the empty
relation is always a simulation.

It thus only remains to show that composition commutes with unions, on the
right and on the left. Since this is true in Rel, it is also true in Int!



□

1.2 Notation

Let's recall some traditional notation. 

• An element of the indexed cartesian product $\prod_{a \in A} D(a)$ is given by a function
$f$ taking any $a \in A$ to an $f(a)$ in $D(a)$. When the set $D(a)$ doesn't
depend on $a$, it amounts to a function $f : A \to D$.

• An element of the indexed disjoint sum $\sum_{a \in A} D(a)$ is given by a pair $(a,d)$
where $a \in A$ and $d \in D(a)$. When the set $D(a)$ doesn't depend on $a$, this is
simply the cartesian product $A \times D$.

• We write List(S) for the set of "lists" over set $S$. A list is a tuple $(s_1, s_2, \dots, s_n)$
of elements of $S$. The empty list is written $()$.

• The collection $\mathcal{M}_f(S)$ of finite multisets over $S$ is the quotient of List(S)
by permutations. We write for the equivalence class containing
$(s_1, \dots, s_n)$. We use for the sum of multisets; it simply corresponds
to concatenation on lists.



1.3 Constructions 

We now define, at the level of interaction systems, the connectives of linear 
logic. With those, making Int into a denotational model of intuitionistic linear 
logic more or less amounts to showing that it is symmetric monoidal closed, 
has finite products and coproducts and has a well behaved comonad. 

1.3.1 Constants. 

A very simple, yet important interaction system is "I", the interaction system
without interaction.

Definition 6 Define $I$ to be the interaction system on the singleton set $\{*\}$:

$$A_I(*) = \{*\} \qquad D_I(*,*) = \{*\} \qquad n_I(*,*,*) = *$$

This interaction system is also called "skip".

This is the perfect example of "stable" or "constant" game: no knowledge is
ever gained by any of the players. Since the interaction traces are ultimately
constant, this is sometimes considered a terminating system: both sides have
reached an agreement.



One last interaction system of (theoretical) interest is given by the interaction 
system on the empty set of states: 

Definition 7 Define to be the unique interaction system on ∅.

This interaction system is even more boring than I: there are no states! From a
practical point of view, this system doesn't even exist. The following is trivial: 

Lemma 8 In Int, the object is a zero object: it is both initial and terminal. 



1.3.2 Product and Coproduct 

Since the forgetful functor $w \mapsto |w|$ has a right adjoint, we know it commutes
with colimits. As a result, we know that if the coproduct of $w_1$ and $w_2$ exists
in Int, its set of states is isomorphic to the coproduct of $S_1$ and $S_2$ in Rel.
We thus define:

Definition 9 Suppose $w_1$ and $w_2$ are interaction systems on $S_1$ and $S_2$. Define
the interaction system $w_1 \oplus w_2$ on $S_1 + S_2$ as follows:

$$n_{w_1 \oplus w_2}((i,s_i),a,d) = (i, s_i[a/d])$$

In other words, the game $w_1 \oplus w_2$ is simply a disjoint sum of $w_1$ and $w_2$, and
interaction takes place in only one of the games. Because we have no initial
state, there is no need to specify who, among the Angel or the Demon, is
making the choice of the game to use. With this in mind, lemma 11 isn't very
surprising.

We have:

Lemma 10 The operation _ ⊕ _ is the coproduct in Int.

2 Recall that $A + B = \{1\} \times A \cup \{2\} \times B$.



PROOF. We just "lift" the constructions from the category Rel:

• injections: we put

$$\mathrm{Int}(w_1, w_1 \oplus w_2)$$

and similarly for $i_2 \in \mathrm{Int}(w_2, w_1 \oplus w_2)$.

• copairing: suppose $r_1 \in \mathrm{Int}(w_1,w)$ and $r_2 \in \mathrm{Int}(w_2,w)$, define:

$$[r_1,r_2] \in \mathrm{Int}(w_1 \oplus w_2, w), \qquad [r_1,r_2] = \{((1,s_1),s) \mid (s_1,s) \in r_1\} \cup \{((2,s_2),s) \mid (s_2,s) \in r_2\}$$

Checking that those constructions yield simulations is direct.

Commutativity of the appropriate diagrams as well as universality can be
lifted from Rel... □



The next result is only surprising at first sight: the situation is similar in Rel.
It will however be quite important in the sequel since we cannot interpret
the differential λ-calculus without it.

Lemma 11 In Int, ⊕ is also the product.

PROOF. This is a direct consequence of commutative monoid enrichment
(proposition 5). □



When dealing with linear logic, we use the usual symbol & when it denotes a 
conjunction... 



3 This is well known for abelian categories (see [IJJ, chap. 8]), but the existence of
inverses is irrelevant.

1.3.3 Synchronous Product.

There is an obvious tensor construction reminiscent of the synchronous product
found in SCCS (synchronous calculus of communicating systems, [12]):

Definition 12 Suppose $w_1$ and $w_2$ are interaction systems on $S_1$ and $S_2$.
Define the interaction system $w_1 \otimes w_2$ on $S_1 \times S_2$ as follows:

$$
\begin{aligned}
A_{w_1 \otimes w_2}((s_1,s_2)) &= A_1(s_1) \times A_2(s_2) \\
D_{w_1 \otimes w_2}((s_1,s_2),(a_1,a_2)) &= D_1(s_1,a_1) \times D_2(s_2,a_2) \\
n_{w_1 \otimes w_2}((s_1,s_2),(a_1,a_2),(d_1,d_2)) &= (s_1[a_1/d_1], s_2[a_2/d_2]) .
\end{aligned}
$$

This is a kind of lock-step synchronous parallel composition of $w_1$ and $w_2$: the
Angel and the Demon exchange pairs of actions/reactions. In terms of games,
the players simply play two games in parallel at the same pace.

For any sensible notion of morphism, $I$ should be a neutral element for this
product. It is indeed the case, for the following reason: the components of $w \otimes I$
and $w$ are isomorphic by dropping the second (trivial) coordinate:

$$
\begin{array}{rclcl}
 & & w \otimes I & & w \\
 & & S \times \{*\} & \simeq & S \\
A((s,*)) & = & A(s) \times \{*\} & \simeq & A(s) \\
D((s,*),(a,*)) & = & D(s,a) \times \{*\} & \simeq & D(s,a) \\
n((s,*),(a,*),(d,*)) & = & (s[a/d],*) & \simeq & s[a/d]
\end{array}
$$

This implies trivially that $\{((s,*),s) \mid s \in S\}$ is an isomorphism. For similar
reasons, this product is transitive and commutative.

Lemma 13 _ ⊗ _ is a commutative tensor product in the category Int. Its
action on morphisms is given by:

$$((s_1,s_1'),(s_2,s_2')) \in r \otimes r' \ \Leftrightarrow\ (s_1,s_2) \in r \text{ and } (s_1',s_2') \in r'$$
Checking that $r \otimes r'$ is a simulation is easy.

The notion of "componentwise" isomorphism is too fine for most purposes and
the notion of isomorphism inherited from simulations is coarser. In particular,
it is easy to find examples of isomorphic interaction systems in Int where the
actions/reactions sets are not isomorphic. For example, if $w$ is an interaction
system, let $\varepsilon_s$ be a choice function from $\mathcal{P}^*(A(s))$, the collection of non-empty
subsets of $A(s)$, to $A(s)$; and define $\widetilde{w}$ with

• $\widetilde{A}(s) = \mathcal{P}^*(A(s))$;

• $\widetilde{D}(s,U) = D(s,\varepsilon_s(U))$;

• $\widetilde{n}(s,U,d) = n(s,\varepsilon_s(U),d)$.

The systems $w$ and $\widetilde{w}$ are isomorphic, but the sets $A(s)$ and $\widetilde{A}(s)$ have different
cardinalities.

1.3.4 Linear Arrow. 

Any category with a zero object cannot be cartesian closed. We thus cannot
hope to model the simply typed λ-calculus inside Int. One of the points of
linear logic is precisely to give logical status to a simpler kind of structure:
linear implication. We do not require our denotational model to be cartesian
closed but only symmetric monoidal closed w.r.t. a tensor which is generally
not the cartesian product. This is the case for Int, but the definition of the
functor _ ⊸ _ is a little more involved:

Definition 14 If $w_1$ and $w_2$ are interaction systems on $S_1$ and $S_2$, define the
interaction system $w_1 \multimap w_2$ on $S_1 \times S_2$ as follows:

$$
\begin{aligned}
A_{\multimap}((s_1,s_2)) &= \sum_{f \in A_1(s_1) \to A_2(s_2)}\ \prod_{a_1 \in A_1(s_1)} D_2(s_2,f(a_1)) \to D_1(s_1,a_1) \\
D_{\multimap}((s_1,s_2),(f,G)) &= \sum_{a_1 \in A_1(s_1)} D_2(s_2,f(a_1)) \\
n_{\multimap}((s_1,s_2),(f,G),(a_1,d_2)) &= (s_1[a_1/G_{a_1}(d_2)],\ s_2[f(a_1)/d_2]) .
\end{aligned}
$$

It may seem difficult to get some intuition about this interaction system; but
it is a posteriori quite natural. Let's unfold this definition with simulations in
mind:

• An action in state $(s_1,s_2)$ is given by a pair consisting of:

(1) a function $f$ (the index for the element of the disjoint sum) translating
actions from $s_1$ into actions from $s_2$;

(2) for any action $a_1$, a function $G_{a_1}$ translating reactions to $f(a_1)$ into
reactions to $a_1$.

• A reaction to such a "one step translating mechanism" is given by:

(1) an action $a_1$ in $A_1(s_1)$ (which we want to simulate);

(2) and a reaction $d_2$ in $D_2(s_2,f(a_1))$ (which we want to translate back).

• Given such a reaction, we can simulate $a_1$ by $a_2 = f(a_1) \in A_2(s_2)$; and
translate back $d_2$ into $d_1 = G_{a_1}(d_2) \in D_1(s_1,a_1)$. The next state is just the
pair of states $s_1[a_1/d_1]$ and $s_2[a_2/d_2]$.

In essence, the Angel translates what the Demon gives her.

This connective is indeed a "linear arrow" : 

Proposition 15 In Int, _ ⊗ _ is left adjoint to _ ⊸ _: there is an isomorphism

$$\mathrm{Int}(w_1 \otimes w_2, w_3) \simeq \mathrm{Int}(w_1, w_2 \multimap w_3),$$

natural in $w_1$, $w_2$ and $w_3$.



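PROOF. The proof is not really difficult. First notice that the axiom of
choice can be written as

$$\mathrm{AC}: \quad (\forall a \in A)(\exists d \in D(a))\ \varphi(a,d) \ \Leftrightarrow\ \Big(\exists f \in \prod_{a \in A} D(a)\Big)(\forall a \in A)\ \varphi(a,f(a)).$$

When the domain $D(a)$ for the existential quantifier doesn't depend on $a \in A$,
we can simplify it into:

$$\mathrm{AC}: \quad (\forall a \in A)(\exists d \in D)\ \varphi(a,d) \ \Leftrightarrow\ (\exists f \in A \to D)(\forall a \in A)\ \varphi(a,f(a)).$$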



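We will use AC to shuffle quantifiers and complexify the domains of quantification.
This will transform the condition defining a simulation from $w_1 \otimes w_2$
to $w_3$ into the condition defining a simulation from $w_1$ to $w_2 \multimap w_3$.

In the sequel, the part of the formula being manipulated will be written in
bold. That $r$ is a simulation from $w_1 \otimes w_2$ to $w_3$ takes the form:

$$
\begin{aligned}
(s_1,s_2,s_3) \in r \ \Rightarrow\ & (\forall a_1 \in A_1(s_1))(\forall a_2 \in A_2(s_2)) \\
& (\exists a_3 \in A_3(s_3)) \\
& (\forall d_3 \in D_3(s_3,a_3)) \\
& (\exists d_1 \in D_1(s_1,a_1))(\exists d_2 \in D_2(s_2,a_2)) \\
& (s_1[a_1/d_1], s_2[a_2/d_2], s_3[a_3/d_3]) \in r .
\end{aligned}
$$

Using AC on $\forall a_2 \exists a_3$, we obtain:

$$
\begin{aligned}
(s_1,s_2,s_3) \in r \ \Rightarrow\ & (\forall a_1 \in A_1(s_1)) \\
& (\exists f \in A_2(s_2) \to A_3(s_3)) \\
& (\forall a_2 \in A_2(s_2))(\forall d_3 \in D_3(s_3,f(a_2))) \\
& (\exists d_1 \in D_1(s_1,a_1))(\exists d_2 \in D_2(s_2,a_2)) \\
& (s_1[a_1/d_1], s_2[a_2/d_2], s_3[f(a_2)/d_3]) \in r .
\end{aligned}
$$

We can now apply AC on $\forall d_3 \exists d_2$:

$$
\begin{aligned}
(s_1,s_2,s_3) \in r \ \Rightarrow\ & (\forall a_1 \in A_1(s_1)) \\
& (\exists f \in A_2(s_2) \to A_3(s_3)) \\
& (\forall a_2 \in A_2(s_2)) \\
& (\exists g \in D_3(s_3,f(a_2)) \to D_2(s_2,a_2)) \\
& (\forall d_3 \in D_3(s_3,f(a_2))) \\
& (\exists d_1 \in D_1(s_1,a_1)) \\
& (s_1[a_1/d_1], s_2[a_2/g(d_3)], s_3[f(a_2)/d_3]) \in r
\end{aligned}
$$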



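4 modulo associativity $(S_1 \times S_2) \times S_3 \simeq S_1 \times (S_2 \times S_3) \simeq S_1 \times S_2 \times S_3$.

and apply AC one more time on $\forall a_2 \exists g$ to obtain:

$$
\begin{aligned}
(s_1,s_2,s_3) \in r \ \Rightarrow\ & (\forall a_1 \in A_1(s_1)) \\
& (\exists f \in A_2(s_2) \to A_3(s_3)) \\
& \Big(\exists G \in \prod_{a_2 \in A_2(s_2)} D_3(s_3,f(a_2)) \to D_2(s_2,a_2)\Big) \\
& (\forall a_2 \in A_2(s_2))(\forall d_3 \in D_3(s_3,f(a_2))) \\
& (\exists d_1 \in D_1(s_1,a_1)) \\
& (s_1[a_1/d_1], s_2[a_2/G_{a_2}(d_3)], s_3[f(a_2)/d_3]) \in r
\end{aligned}
$$

which is equivalent to

$$
\begin{aligned}
(s_1,s_2,s_3) \in r \ \Rightarrow\ & (\forall a_1 \in A_1(s_1)) \\
& \Big(\exists (f,G) \in \sum_{f \in A_2(s_2) \to A_3(s_3)}\ \prod_{a_2 \in A_2(s_2)} D_3(s_3,f(a_2)) \to D_2(s_2,a_2)\Big) \\
& \Big(\forall (a_2,d_3) \in \sum_{a_2 \in A_2(s_2)} D_3(s_3,f(a_2))\Big) \\
& (\exists d_1 \in D_1(s_1,a_1)) \\
& (s_1[a_1/d_1], s_2[a_2/G_{a_2}(d_3)], s_3[f(a_2)/d_3]) \in r .
\end{aligned}
$$

By definition, this means that $r$ is a simulation from $w_1$ to $w_2 \multimap w_3$.
Naturality is trivial: it corresponds to naturality of associativity in Rel. □

In particular, proposition 15 implies that

$$\mathrm{Int}(w_1,w_2) \simeq \mathrm{Int}(I, w_1 \multimap w_2) .$$

We call a simulation from $I$ to $w$ a safety property for $w$.

Lemma 16 (with Def.) A subset $x \subseteq S$ is a simulation from $I$ to $w$ iff

$$s \in x \ \Rightarrow\ (\exists a \in A(s))(\forall d \in D(s,a))\ s[a/d] \in x .$$

We write $\mathcal{S}(w)$ for the collection of such subsets, and we call such an $x$ a
safety property for $w$.

5 This is well defined since $\mathcal{P}(\{*\} \times S) \simeq \mathcal{P}(S)$.

Finally, we have

$$\mathrm{Int}(w_1,w_2) = \mathcal{S}(w_1 \multimap w_2) .$$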

The analogy with traditional notions of morphisms as strategies is rather 
subtle. A safety property x satisfies the property 

if interaction is started from a state in x, then the Angel has a move that 
guarantees that the next state will also be in x (provided the Demon does 
answer). 

This is a safety property in the sense that it guarantees that "nothing bad 
happens". (As opposed to liveness properties, which ensure that "something 
good happens"...) In particular, this means that the Angel has an infinite 
strategy from any state in x: she can always find a move to play. The choice of 
those moves is irrelevant to the notion of safety property: we only know they 
exist. In particular, such a move need not be unique.
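
The simulation condition of Definition 2 and the safety-property condition of Lemma 16 can be checked mechanically on finite interaction systems. The following Python is an added example, not code from the paper: the bounded stack (capacity `CAP`, an `Overflow` reaction and an `overflow` trap state), the counter system and all function names are constructed for illustration.

```python
from itertools import product

class ISys:
    """Finite interaction system (Definition 1): states S, actions A(s),
    reactions D(s, a), next state n(s, a, d)."""
    def __init__(self, states, A, D, n):
        self.S, self.A, self.D, self.n = frozenset(states), A, D, n

def is_simulation(w1, w2, r):
    """Definition 2: for every (s1, s2) in r,
    forall a1, exists a2, forall d2, exists d1: next states stay in r."""
    return all(
        any(all(any((w1.n(s1, a1, d1), w2.n(s2, a2, d2)) in r
                    for d1 in w1.D(s1, a1))
                for d2 in w2.D(s2, a2))
            for a2 in w2.A(s2))
        for (s1, s2) in r for a1 in w1.A(s1))

def angel_can_stay(w, s, x):
    """Some action at s has all of its reactions leading back into x."""
    return any(all(w.n(s, a, d) in x for d in w.D(s, a)) for a in w.A(s))

def is_safety(w, x):
    """Lemma 16: x is a safety property iff the Angel can stay in x."""
    return all(angel_can_stay(w, s, x) for s in x)

def greatest_safety(w):
    """Largest safety property (greatest fixpoint). It exists because
    safety properties are closed under arbitrary unions."""
    x = set(w.S)
    while True:
        keep = {s for s in x if angel_can_stay(w, s, x)}
        if keep == x:
            return frozenset(x)
        x = keep

# The system I ("skip") on the singleton set {*}.
SKIP = ISys({"*"}, lambda s: {"*"}, lambda s, a: {"*"}, lambda s, a, d: "*")

def lemma16_agrees(w, x):
    """x is a safety property exactly when {(*, s) | s in x} is a
    simulation from I to w."""
    return is_simulation(SKIP, w, {("*", s) for s in x}) == is_safety(w, x)

CAP = 2            # constructed bound, keeps the state space finite
TRAP = "overflow"  # constructed state without actions: the Angel is stuck

def bounded_stack():
    """Stack of booleans from the text, cut off at CAP elements."""
    stacks = [t for k in range(CAP + 1) for t in product((False, True), repeat=k)]
    def A(s):
        if s == TRAP:
            return set()
        pushes = {("Push", b) for b in (False, True)}
        return pushes | {("Pop",)} if s else pushes
    def D(s, a):
        # On a full stack the Demon may answer a push with "Overflow".
        full_push = a[0] == "Push" and len(s) == CAP
        return {"Akn", "Overflow"} if full_push else {"Akn"}
    def n(s, a, d):
        if d == "Overflow":
            return TRAP
        if a[0] == "Pop":
            return s[1:]                              # n(b :: s, Pop) = s
        return s if len(s) == CAP else (a[1],) + s    # n(s, Push(b)) = b :: s
    return ISys(stacks + [TRAP], A, D, n)

def counter():
    """Constructed lower-detail system: only the stack depth is tracked."""
    def A(k):
        if k == TRAP:
            return set()
        return {"Inc", "Dec"} if k else {"Inc"}
    def D(k, a):
        return {"Akn", "Overflow"} if a == "Inc" and k == CAP else {"Akn"}
    def n(k, a, d):
        if d == "Overflow":
            return TRAP
        return k - 1 if a == "Dec" else min(k + 1, CAP)
    return ISys(list(range(CAP + 1)) + [TRAP], A, D, n)

def depth_relation(w):
    """Relates each stack to its depth, and the trap to the trap."""
    return {(s, len(s)) for s in w.S if s != TRAP} | {(TRAP, TRAP)}

if __name__ == "__main__":
    w, c = bounded_stack(), counter()
    print("depth relation is a simulation:", is_simulation(w, c, depth_relation(w)))
    print("greatest safety property:", sorted(greatest_safety(w), key=len))
    print("{()} is safe:", is_safety(w, {()}))
    print("{(), (True,)} is safe:", is_safety(w, {(), (True,)}))
```

On a full stack the Angel must pop: a push may be answered with `Overflow`, so the set containing only a full stack is not a safety property, while the set of all stacks is the greatest one.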

As a special case, let's look at the definition of linear negation. The orthogonal
$w^\perp$ of $w$ is defined as usual as the interaction system $w \multimap \bot$. For
intuitionistic linear logic, any object can formally be used as $\bot$, but anticipating
on proposition [33] we use $\bot = I$. We have:

$$
\begin{aligned}
A^\perp((s,*)) &= \sum_{f \in A(s) \to \{*\}}\ \prod_{a \in A(s)} \{*\} \to D(s,a) \\
D^\perp((s,*),(f,G)) &= \sum_{a \in A(s)} \{*\} \\
n^\perp((s,*),(f,G),(a,*)) &= (s[a/G_a(*)],*)
\end{aligned}
$$

which, after simplification, is equivalent to

$$
\begin{aligned}
A^\perp(s) &= \prod_{a \in A(s)} D(s,a) \\
D^\perp(s,f) &= A(s) \\
n^\perp(s,f,a) &= s[a/f(a)] .
\end{aligned}
$$

One important point to notice is that with this definition, the set of states
of $w^\perp$ is the same as the set of states of $w$. In particular, the canonical
morphism in $\mathrm{Int}(w, w^{\perp\perp})$ will be given by the equality relation.

The definition looks complex but can be interpreted in a very traditional way:
negation interchanges the two players. In our context, it is not possible to
simply interchange actions and reactions since reactions depend on a particular
action. We have to do the following:

• an action in $A^\perp(s)$ is a conditional reaction; or a one move strategy to react
to any action;

• a reaction in $D^\perp(s,f)$ is just an action in $w$;

• the new state after "action" $f$ and "reaction" $a$ is just the state obtained
after playing $a$ followed by $f(a)$.

The "polarities" of moves and countermoves are interchanged, and it does swap
the players in the sense that it transforms Angel strategies into Demon strategies
and vice versa. (See [10] for more details.)

The dual enjoys a surprising property: the set of possible reactions to a 
particular action doesn't depend on the particular action! 



1.3.5 Multithreading. 

We now come to the last connective needed to interpret intuitionistic linear 
logic. Its computational interpretation is related to the notion of multithread- 
ing, i.e. the possibility to run several instances of a program in parallel. In our 
case, it corresponds to the ability to play several synchronous instances of the 
same game in parallel. Let's start by defining synchronous multithreading in 
the most obvious way: 

Definition 17 If $w$ is an interaction system on $S$, define $L(w)$, the multithreaded
version of $w$, to be the interaction system on $\mathrm{List}(S)$ with:

$$L.n((s_1,\dots,s_n),(a_1,\dots,a_n),(d_1,\dots,d_n)) = (s_1[a_1/d_1],\dots,s_n[a_n/d_n]) .$$



This interaction system is just the sum of all "n-ary" versions of the syn- 
chronous product. 

Lemma 18 The operator $w \mapsto L(w)$ can be extended to a functor from Int
to Int.

To get the abstract properties we want, we need to quotient multithreading
by permutations. Just like multisets are lists modulo permutations, so is $!w$
the multithreaded $L(w)$ modulo permutations. This definition is possible because
$L(w)$ is "compatible" with permutations: if $\sigma$ is a permutation, we have

$$\sigma \cdot \big((s_1,\dots,s_n)[(a_1,\dots,a_n)/(d_1,\dots,d_n)]\big) = (\sigma \cdot (s_1,\dots,s_n))[\sigma \cdot (a_1,\dots,a_n)/\sigma \cdot (d_1,\dots,d_n)] .$$

The final definition is: 

Definition 19 If $w$ is an interaction system on $S$, define $!w$ to be the following
interaction system on $\mathcal{M}_f(S)$:

$$
\begin{aligned}
!D(\mu,(s,a)) &= L.D(s,a) \\
!n(\mu,(s,a),d) &= [L.n(s,a,d)] .
\end{aligned}
$$

(Note that as an element of $\mu$, $s$ is just a specific order for the element of $\mu$.)
Unfolded, it gives:

• an action in state $\mu$ is given by an element $s$ (a list) of $\mu$ (a multiset, i.e. an
equivalence class) together with an element $a$ in $L.A(s)$ (a list of actions);

• a reaction is given by a list of reactions $d$ in $L.D(s,a)$;

• the next state is the equivalence class containing the list $s[a/d]$ (the orbit
of $s[a/d]$ under the action of the group of permutations).

Lemma 20 This operation $w \mapsto {!w}$ can be extended to a functor from Int
to Int. Moreover, we have the following bisimulation (which is not an isomorphism)

$$L(w) \rightleftarrows {!w} \qquad (1)$$

where a is just membership of a list in a multiset (equivalence class of lists)
and p its converse.

This operation enjoys a very strong algebraic property: 

Proposition 21 $!w$ is the free ⊗-comonoid generated by $w$.

Note that because $!w$ "is" $\bigoplus_n w^{\otimes n}/\mathfrak{S}_n$ this is not very surprising.

PROOF. Quite a lot can be deduced from the same property of Rel, but we
will look at some details.

Let's start by looking at the ⊗-comonoid structure of $!w$: the counit and
comultiplication are given by

$$e \in \mathrm{Int}(!w, I),\quad e = \{([],*)\} \qquad\text{and}\qquad m \in \mathrm{Int}(!w, {!w} \otimes {!w}),\quad m = \{(\mu+\nu,(\mu,\nu)) \mid \mu,\nu \in \mathcal{M}_f(S)\}$$



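We need to show that for any interaction system $w$ and ⊗-comonoid $w_c$, there
is a natural isomorphism

$$\mathrm{CoMon}(\mathrm{Int}, \otimes)(w_c, {!w}) \simeq \mathrm{Int}(w_c, w) .$$

Going from left to right is easy:

$$
\begin{aligned}
\mathrm{CoMon}(\mathrm{Int}, \otimes)(w_c, {!w}) &\to \mathrm{Int}(w_c, w) \\
r &\mapsto \{(s_c, s) \mid (s_c, [s]) \in r\} .
\end{aligned}
$$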



Checking that this operation is well-defined (it sends a comonoid morphism 
to a simulation) is direct. 

The other direction is more interesting. Let $w_c$ be a commutative comonoid.
This means we are given $e_c \in \mathrm{Int}(w_c, I)$ and $m_c \in \mathrm{Int}(w_c, w_c \otimes w_c)$, satisfying
additional commutativity and associativity conditions.

Suppose $r$ is a simulation from $w_c$ to $w$. This is a relation with no condition
about the comonoid structure of $w_c$. We construct a relation from $w_c$ to $!w$ in
the following way:

• we start by extending comultiplication to $\overline{m_c} : \mathrm{Int}(w_c, L(w_c))$;

• we then compose that with $L(r) : \mathrm{Int}(L(w_c), L(w))$;

• and finally compose that with $a : \mathrm{Int}(L(w), {!w})$, see (1) in lemma 20.

We then check that this simulation respects the comonoid structures of $w_c$
and $!w$.

Define $\overline{m_c} \subseteq S_c \times \mathrm{List}(S_c)$ by the following clauses: (inductive definition)

$$
\begin{aligned}
(s, ()) \in \overline{m_c} \quad &\text{iff} \quad s \in e_c \\
(s, (s')) \in \overline{m_c} \quad &\text{iff} \quad s = s' \\
(s, (s_1,\dots,s_n)) \in \overline{m_c} \quad &\text{iff} \quad (s,(s_1,s')) \in m_c \wedge (s',(s_2,\dots,s_n)) \in \overline{m_c} \ \text{ for some } s' \in S_c .
\end{aligned}
$$

Using the fact that $e_c$ and $m_c$ are simulations, we can easily show (by induction)
that $\overline{m_c}$ is a simulation from $w_c$ to $L(w_c)$.

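Moreover, we have:

$$
\begin{aligned}
& (s_c,(s_{c,1},\dots,s_{c,n+m})) \in \overline{m_c} \\
\Leftrightarrow\ & (\exists s_c^1, s_c^2 \in S_c)\ (s_c,(s_c^1,s_c^2)) \in m_c \wedge (s_c^1,(s_{c,1},\dots,s_{c,n})) \in \overline{m_c} \wedge (s_c^2,(s_{c,n+1},\dots,s_{c,n+m})) \in \overline{m_c}
\end{aligned}
\qquad (2)
$$

by transitivity and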

^ (3) 

{Sci (^c,l) ■ ■ ■ ) ^c,i+l) ^c,j) ■ ■ ■ ) ^c,n)) £ 



by commutativity. 

We know that $\overline{r} = a \cdot L(r) \cdot \overline{m_c}$ is a simulation from $w_c$ to $!w$. We need to check
that this simulation respects the comonoid structures of $w_c$ and $!w$, i.e. that
both

[Diagrams: compatibility of the simulation with the counits of $w_c$ and $!w$, and with the comultiplications $m_c$ and $m$, the latter through $w_c \otimes w_c$ and $!w \otimes {!w}$.]

are commutative. The first diagram is easily shown to be commutative. For the
second one: suppose $(s_c, ([s_1,\dots,s_n],[s_{n+1},\dots,s_{n+m}])) \in m \cdot \overline{r}$. This is equivalent
to saying that there are $s_{c,1},\dots,s_{c,n+m}$ in $S_c$ s.t.

• $(s_{c,i}, s_i) \in r$ for all $i = 1,\dots,n+m$

• and $(s_c,(s_{c,1},\dots,s_{c,n+m})) \in \overline{m_c}$.

That $(s_c, ([s_1,\dots,s_n],[s_{n+1},\dots,s_{n+m}]))$ is in $(\overline{r} \otimes \overline{r}) \cdot m_c$ means that there are $s_c^1$
and $s_c^2$ in $S_c$ s.t.

• and $(s_c^1,[s_1,\dots,s_n]) \in \overline{r}$ and $(s_c^2,[s_{n+1},\dots,s_{n+m}]) \in \overline{r}$,

i.e. there are $s_c^1$ and $s_c^2$ in $S_c$, and $s_{c,1},\dots,s_{c,n},s_{c,n+1},\dots,s_{c,n+m}$ in $S_c$ s.t.

• $(s_c,(s_c^1,s_c^2)) \in m_c$

• $(s_c^1,(s_{c,1},\dots,s_{c,n})) \in \overline{m_c}$

• and $(s_{c,i}, s_i) \in r$ for all $i = 1,\dots,n+m$.

By using (2) and (3), it is trivial to show that the two conditions are equivalent.
This proves that the second diagram is commutative.
This proves that the second diagram is commutative. 

It only remains to show that the two operations defined are inverse of each 
other. This is not difficult. □ 



2 Interpreting Linear Logic 

We now have all the necessary ingredients to construct a denotational model 
for intuitionistic linear logic. The details of categorical models for linear logic 
are quite intricate, and there are several notions, not all of which are equiva- 
lent. We refer to the survey [13] and the references given there. 

In the case of Int, the situation is however quite simple: proposition 21
makes Int into a "Lafont category" (see [Ti]).

Corollary 22 With the construction defined in the previous sections, Int is
a Lafont category. In particular, is a comonad; and for any $w_1$
and $w_2$, we have the following natural isomorphism:

Recall that since the product and coproduct coincide, & is the same as ⊕.

A direct proof of the fundamental isomorphism is easy: there is a "componentwise"
isomorphism between the interaction systems $!(w_1 \& w_2)$ and $!w_1 \otimes !w_2$.

Lafont categories were used to give a semantics to linear logic and were later
subsumed by Seely categories and linear categories.
It is thus possible to give a semantics to formulas and proofs in the usual way.
We write F for the interpretation of a formula F (no confusion arises) and $\llbracket \pi \rrbracket$
for the interpretation of a proof $\pi$.



Proposition 23 For all proofs $\pi_1$ and $\pi_2$ of the same sequent, if $\pi_1$ and $\pi_2$
have the same cut-free normal form, then $\llbracket \pi_1 \rrbracket = \llbracket \pi_2 \rrbracket$.

Moreover, since the interpretation is done using canonical morphisms, which 
are just lifting of the same morphisms in Rel, the interpretation of a proof is 
the same as its relational interpretation^ 

Proposition 24 For any proof $\pi$ of a sequent $\Gamma \vdash F$, the relational
interpretation $\llbracket \pi \rrbracket$ of $\pi$ is a simulation from $\bigotimes \Gamma$ to F. (This holds for any valuation
of the propositional variables.)



The presence of propositional variables is crucial because without them, the 
model becomes trivial: 

Proposition 25 Suppose F is a formula without propositional variables; then 
its interpretation is trivial : any subset of its set of states is a safety property. 

More precisely, we have 

• $A_F(s) = \{*\}$ (singleton set);

• $D_F(s, *) = \{*\}$ (singleton set);

• $n_F(s, *, *) = s$.

The proof is a trivial induction on the formula.

This model is thus only appropriate when interpreting $\Pi^1_1$ logic, i.e. propositional
linear logic. There, it has a real discriminating power. The model can
even be extended to deal with full second order, with the usual proviso: the
interpretation may decrease (in some very special cases) during elimination of
a second order cut. For more details, see [10, chap. 8].^



^ The relational interpretation is folklore, at least in Marseille and Paris, but it is
surprisingly difficult to find an early reference to it. For those who want to see the
concrete definition of the interpretation, we refer to [15, app. 4].
^ There, the equivalent notion of predicate transformers rather than interaction
systems is used, but as we will show in section 6.1 the two categories are equivalent.

3 Interpreting the Differential λ-calculus



So far, proposition 5 hasn't been used, except to deduce the existence of a
product. The problem is that this proposition doesn't reflect a property of
proofs. The reason is that

• not every formula has a proof; 

• we do not see a priori how to sum proofs of a single formula. 

Ehrhard and Regnier's differential λ-calculus ([1]) extends the λ-calculus by
adding a notion of differentiation of λ-terms. One consequence is that we need
a notion of sum of terms, interpreted as a non-deterministic choice. It is also
possible to only add sums (and coefficients) to the usual λ-calculus as in



It is not the right place to go into the details of the differential λ-calculus
and we refer to for motivations and a complete description. A complete
definition can also be found in the Appendix on page |

In the typed case, we have the following typing rules: 

r h t : r r h M : r 



and 

rhO:r T^t + u-.T 

r \- t : T a r \- u : T 

2 . 

^ ^ ThBt-u-.T 



The intuitive meaning is that "$\mathrm{D}\,t \cdot u$" is the result of (non-deterministically)
replacing exactly one occurrence of the first variable of t by u. We thus obtain a
sum of terms, depending on which occurrence was replaced. This gives a notion
of differential substitution (or linear substitution) which yields a differential
reduction. The rules governing this reduction are more complex than usual
β-reduction rules; we refer to [1] or the Appendix.

Besides the natural commutativity and associativity of addition, differential
λ-terms are also quotiented modulo the following equivalence relations:

• $0 = (0)u = \lambda x.0 = \mathrm{D}0 \cdot t = \mathrm{D}t \cdot 0$;

• $(t_1 + t_2)\,u = (t_1)u + (t_2)u$;

• $\lambda x.(t_1 + t_2) = \lambda x.t_1 + \lambda x.t_2$;

• $\mathrm{D}(t_1 + t_2) \cdot u = \mathrm{D}t_1 \cdot u + \mathrm{D}t_2 \cdot u$;

• $\mathrm{D}t \cdot (u_1 + u_2) = \mathrm{D}t \cdot u_1 + \mathrm{D}t \cdot u_2$;

• $\mathrm{D}(\mathrm{D}t \cdot u) \cdot v = \mathrm{D}(\mathrm{D}t \cdot v) \cdot u$.

The last one is probably the most important one as it allows one to link the notion
of differentiation to the traditional, analytic notion of differentiation. Note
that even if the first five rules can be oriented from left to right, a quotient
is inevitable because of the sixth rule and the commutativity of addition.
This quotient is natural because none of those rules carries any computational
content.



Interpreting usual (without "D", "+" nor "0") λ-terms can be done using
the well-known translation of the simply typed λ-calculus into intuitionistic
linear logic with propositional variables. Just replace an atomic type by a
propositional variable and the type $\tau \to \sigma$ by $!\tau \multimap \sigma$ inductively. That the
resulting interpretation is sound follows directly from the fact that Int is a
Lafont category. (In any model for linear logic, the co-Kleisli category of !_ is
cartesian closed.)

The general notion of categorical model for the differential λ-calculus (or
differential proof nets, or "differential linear logic") is only beginning to emerge.
The main paper on the subject is [17], where the categorical notion of
"differentiation combinator" is studied in detail. No real soundness theorem is
however proved there because the authors work in a more general setting: the
base category is not necessarily monoidal closed, i.e. the co-Kleisli category is
not necessarily cartesian closed.

The notion of differential category is well-suited for our purposes, and we will
show that the category Int is indeed a differential category. Together with
the fact that Int is a Lafont category, this allows us to deduce that we do get a
categorical model for the differential λ-calculus.

Definition 26 If C is a symmetric monoidal category with a coalgebra modality
!_, we call a natural transformation $d_X : X \otimes !X \to !X$ a deriving
transformation in case the following hold:

$$d_X\, e_X = 0$$

$$d_X\, \Delta = (1 \otimes \Delta)(d_X \otimes 1) + (1 \otimes \Delta)(c \otimes 1)(1 \otimes d_X)$$

$$d_X\, \epsilon_X = (1 \otimes e)\, u_X$$

$$d_X\, \delta = (1 \otimes \Delta)(d_X \otimes \delta)\, d_{!X}$$



where

- $e_X : !X \to I$ and $\Delta_X : !X \to !X \otimes !X$ are the operations of the coalgebra $!X$;

- $c : A \otimes B \to B \otimes A$ is the symmetry and $u_X : X \otimes I \to X$ is the unit;

- $\delta_X : !X \to !!X$ and $\epsilon_X : !X \to X$ come from the usual comonad laws.^

In our case, we can lift $d_X$ from the relational model:

Lemma 27 (and definition) For any interaction system w on S, the
relation $d_w$ defined by

$$d_w = \{\, ((s_0, [s_1, \dots, s_n]),\ [s_0, s_1, \dots, s_n]) \mid s_0, \dots, s_n \in S \,\}$$

is a deriving transformation.



PROOF. Because it is already shown in [17] that this relation is indeed a
deriving transformation in Rel, it suffices to show that $d_w$ is a simulation
from $w \otimes !w$ to $!w$. This is immediate.

□ 



We can now extend the interpretation to differential λ-terms:

• the additive structure (0 and +) is directly interpreted by the monoid
structure (∅ and ∪);

• the differential structure is interpreted in the only sensible way: suppose we
have $\Gamma \vdash t : \tau \to \sigma$ and $\Gamma \vdash u : \tau$; by induction, we have
$\llbracket t \rrbracket \in \mathrm{Int}(!\Gamma, !\tau \multimap \sigma)$ and $\llbracket u \rrbracket \in \mathrm{Int}(!\Gamma, \tau)$.
We can define a morphism in $\mathrm{Int}(!\tau \multimap \sigma,\ (\tau \otimes !\tau) \multimap \sigma)$:

1 G Int(!r ^ a , !r ^ cr) 

^ 1 G Int((!r^o-) ® !r , a) 

=^ T(l®(i^) G Int((!r ^ 0-) (g) r (g) !r , cr) 

<^ T(l(g)d^) G Int(!r^(T, (r (g) !r) ^ a) 

We write D for this morphism. This is an internal version of the differential
combinator from [17, def. 2.3]. From this, we get

D|t] G Int(!r , (r® !r) ^a) 
^ Dp] G Int(!r®r, W ^ a) 



^ The applications of the isomorphism a : {A(^ B) <^C ^ (B (^C) are omitted 
for readability.
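which we'll call [Dt]. We can now compose interpretations as in:

$$!\Gamma \to !\Gamma \otimes !\Gamma \to !\Gamma \otimes \tau \to !\tau \multimap \sigma$$

This morphism in $\mathrm{Int}(!\Gamma, !\tau \multimap \sigma)$ is the interpretation of $\mathrm{D}t \cdot u$.

Spelled out concretely in the case of Rel or Int, the inductive definition looks
like:

$(\gamma, \mu, s') \in \llbracket \mathrm{D}t \cdot u \rrbracket$ iff
$(\gamma_1, \mu + [s], s') \in \llbracket t \rrbracket$ for some $(\gamma_2, s) \in \llbracket u \rrbracket$ s.t. $\gamma = \gamma_1 + \gamma_2$



That the interpretation is sound follows rather directly from the properties of
a deriving transformation, see [17] for some of the missing details:

Lemma 28 For all differential λ-terms and valuations γ, we have

• $\llbracket 0 \rrbracket = \llbracket (0)u \rrbracket = \llbracket \lambda x.0 \rrbracket = \llbracket \mathrm{D}0 \cdot t \rrbracket = \llbracket \mathrm{D}t \cdot 0 \rrbracket$;

• $\llbracket (t_1 + t_2)u \rrbracket = \llbracket (t_1)u + (t_2)u \rrbracket$;

• $\llbracket \lambda x.(t_1 + t_2) \rrbracket = \llbracket \lambda x.t_1 + \lambda x.t_2 \rrbracket$;

• $\llbracket \mathrm{D}(t_1 + t_2) \cdot u \rrbracket = \llbracket \mathrm{D}t_1 \cdot u + \mathrm{D}t_2 \cdot u \rrbracket$;

• $\llbracket \mathrm{D}t \cdot (u_1 + u_2) \rrbracket = \llbracket \mathrm{D}t \cdot u_1 + \mathrm{D}t \cdot u_2 \rrbracket$;

• $\llbracket \mathrm{D}(\mathrm{D}t \cdot u) \cdot v \rrbracket = \llbracket \mathrm{D}(\mathrm{D}t \cdot v) \cdot u \rrbracket$.

We finally obtain the desired result:

Proposition 29 Suppose that $\Gamma \vdash t : \sigma$ where Γ is a context and t a differential
λ-term. The relation $\llbracket t \rrbracket$ is a simulation relation from $!\Gamma$ to σ. Moreover,
for all t and u we have:

$$\llbracket (\lambda x.t)u \rrbracket = \llbracket t[u/x] \rrbracket$$
$$\llbracket \mathrm{D}(\lambda x.t) \cdot u \rrbracket = \llbracket \lambda x.\,(\partial t/\partial x) \cdot u \rrbracket$$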



PROOF. That we obtain a simulation is true by construction.

Invariance under β-reduction follows from the correctness of the interpretation
of λ-calculus in a cartesian-closed category.

Invariance under linear substitution seems to follow from general considerations
about deriving transformation in linear categories, even if this is not
treated in [17]. (In our case, a direct verification is possible, but long and
tedious...)

□ 



4 Untyped Calculus 

Interpreting untyped λ-calculus remained an open question for quite a long
time: since the cardinality of a function space is strictly bigger than the
cardinality of the original set, it seemed difficult to get a model where any λ-term
can be either an argument or a function. Dana Scott finally found a model by
constructing a special object in the category of domains.

The solution is quite elegant: to interpret untyped λ-terms in a cartesian
closed category, one "just" needs to find a reflexive object in a cartesian closed
category, i.e. an object X with a retraction / projection pair $[X \to X] \triangleleft X$.

We have at our disposal a cartesian closed category: the Kleisli category over
the comonad !_. Were we to find a reflexive object W in this category, we
could model the untyped differential λ-calculus in the λ-model S(W). We now
show how to construct such a reflexive object, in a fairly straightforward way.

We start with a non-trivial interaction system w on a set of states S (natural
numbers for example) and then define an interaction system W, satisfying the
equation $W \simeq w \oplus (!W \multimap W)$ as follows:

(1) the set of states $S_W$ is defined as the least fixpoint of $X \mapsto S + \mathcal{M}_f(X) \times X$;
in a more "programming" fashion:

    $S_W$ = data Leaf($s \in S$)
             | Node($\mu \in \mathcal{M}_f(S_W)$, $u \in S_W$)

(2) the possible actions in a given state are defined by induction on the state:
using "pattern matching", we have

    $A_W(\mathrm{Leaf}(s)) = A(s)$
    $A_W(\mathrm{Node}(\mu, u)) = (!A_W \multimap A_W)((\mu, u))$

(3) reactions are defined similarly as

    $D_W(\mathrm{Leaf}(s), a) = D(s, a)$

(4) and finally, the next state function is defined as

    $n_W(\mathrm{Leaf}(s), a, d) = \mathrm{Leaf}(s[a/d])$

Due to the presence of multisets, an actual implementation of W in a
dependently typed functional programming language would be a little more complex:
we would need to work with lists rather than multisets, and reason modulo
shuffling concretely.

Lemma 30 The relation r between $S + (\mathcal{M}_f(S_W) \times S_W)$ and $S_W$ defined by

$((1, s), \mathrm{Leaf}(s)) \in r$

$((2, (\mu, u)), \mathrm{Node}(\mu, u)) \in r$

is an isomorphism (in Int) from $w \oplus (!W \multimap W)$ to $W$.

The proof is direct. (This is an instance of a strong, "componentwise"
isomorphism.)

Corollary 31 In the !_-Kleisli category of Int, which is cartesian closed, there
is a retract $\triangleleft\ W$.



PROOF. First, notice that it is sufficient to find a retract in the category Int:
any morphism in a category can also be seen as a morphism in a Kleisli
category (in a way which is compatible with composition in the Kleisli category).

There is the canonical injection $i_2$ from $!W \multimap W$ to $w \oplus (!W \multimap W)$. Now, in
the category Int, we have that product and coproduct coincide; in particular,
we have the projection $\pi_2$ from $w \& (!W \multimap W) = w \oplus (!W \multimap W)$ to $!W \multimap W$.
Moreover, by definition, we have $\pi_2 \cdot i_2 = \mathrm{Id}_{!W \multimap W}$.

We can now prove that $r \cdot i_2$ / $\pi_2 \cdot r^{\sim}$ is a retraction / projection from
$!W \multimap W$ to $W$:^ it follows from the previous remark that $\pi_2 \cdot i_2 = \mathrm{Id}$ and that
$r^{\sim}$ is the inverse of r. (Recall that r is an isomorphism.) □

From there, constructing a model for the untyped λ-calculus is standard. We
refer to [TH]. We obtain in this way a model where each term is interpreted by
a safety property for W.

^ The converse $r^{\sim}$ of a relation is defined as $(s_2, s_1) \in r^{\sim}$ iff $(s_1, s_2) \in r$.
Since S(W) is a complete sup-lattice, we can also model sums, and by the very
same construction defined in section 3, model differentiation. (Remark that
the interpretation of a term is not really by induction on the type inference,
but directly by induction on the term: we can thus apply it to untyped terms
as well.)

The interpretation becomes: if t is a differential λ-term with its free variables
among $x_1, \dots, x_n$, we interpret t by a subset of $\mathcal{M}_f(S_W) \times \cdots \times \mathcal{M}_f(S_W) \times S_W$.
In the sequel, γ is a tuple in $\mathcal{M}_f(S_W) \times \cdots \times \mathcal{M}_f(S_W)$ and we use γ(x) for
the projection on the appropriate coordinate.

• $\llbracket x \rrbracket = \{(\gamma, s)\}$ where $\gamma(x) = [s]$ and $\gamma(y) = []$ otherwise



Proposition 32 For any closed differential λ-term t, we have that $\llbracket t \rrbracket$ is a
safety property for W.

We have thus, in effect, constructed a non-trivial (in the sense that not all
subsets of $S_W$ are safety properties) denotational model for the untyped
differential λ-calculus. This is particularly interesting because the original model
for differential λ-calculus (finiteness spaces) did not have a reflexive object:
they could not interpret fixpoint combinators (see [15]).



5 Classical Linear Logic 

If one has in mind the definition of negation (see page USD, the next result can
look quite surprising: interaction systems can interpret classical linear logic.
In other words, for any interaction system w, we have $w \simeq w^{\perp\perp}$. The reason
behind that is that our notion of morphism is not the notion of "componentwise"
morphism. Even though the actions/reactions in $w^{\perp\perp}$ are very complex
sets, the way they interact with states remains relatively simple.



. |Ax.t] = {(7,(/i,s))|(7.:=^,s)GM} 

(70, Node(/i, s)) G |t] for some 
• (7, s) G l{t)uj iff s.t. (7,, s,) G M for 2 = 1, . . . , n 
^ and 7 = 7o + 7i + • • • + 7n; 



[^1 




• 101 = 0; 




7i + 72- 
The reason we haven't shown this result in section 2 is that the principle at
work is highly non-constructive and that natural generalizations of interaction
systems are unlikely to satisfy it.



Recall that any object can be used to represent ⊥ in the intuitionistic case.
However, in our case, the object I plays a very special role. For ⊥ = I, we have:

Proposition 33 In Int, for any interaction system w, the identity relation
is an isomorphism between $w$ and $w^{\perp\perp}$.

Equivalently, the object ⊥ is dualizing in Int.



PROOF. The principle at stake in the proof is the contrapositive of the
axiom of choice:

$$\mathrm{CtrAC}:\quad (\forall f \in \textstyle\prod_{a \in A} D(a))\,(\exists a \in A)\ \varphi(a, f(a)) \ \Rightarrow\ (\exists a \in A)(\forall d \in D(a))\ \varphi(a, d)$$

When the domain D(a) for the universal quantifier doesn't depend on $a \in A$,
we can simplify it into:

$$\mathrm{CtrAC}:\quad (\forall f \in A \to D)\,(\exists a \in A)\ \varphi(a, f(a)) \ \Rightarrow\ (\exists a \in A)(\forall d \in D)\ \varphi(a, d)$$



Here are the components of w 





n D{s,a) 



aeA(s) 




s,F,g) 



s[F{g)/g{F{g))] . 
That equality is a simulation from $w^{\perp\perp}$ to $w$ takes the form:

$$(\forall s \in S)\ (\forall F \in A^{\perp\perp}(s))(\exists a \in A(s))\ (\forall d \in D(s,a))(\exists g \in D^{\perp\perp}(s,F))\ \ s[a/d] =_S s[F(g)/g(F(g))].$$

By applying the contraposition of the axiom of choice on ∃a∀d, this is
equivalent to

$$(\forall s \in S)\ (\forall F \in A^{\perp\perp}(s))\,(\forall f \in \textstyle\prod_{a \in A(s)} D(s,a))\ (\exists a \in A(s))(\exists g \in D^{\perp\perp}(s,F))\ \ s[a/d] =_S s[F(g)/g(F(g))].$$

We can swap quantifiers and obtain, by the definitions of $A^{\perp}$, $D^{\perp}$ and $A^{\perp\perp}$

$$(\forall s \in S)\ (\forall f \in A^{\perp}(s))(\forall F \in A^{\perp}(s) \to D^{\perp}(s,\_))\ (\exists g \in D^{\perp\perp}(s,F))(\exists a \in D^{\perp}(s,f))\ \ s[a/f(a)] =_S s[F(g)/g(F(g))].$$

We can now apply the contraposition of the axiom of choice on ∀F∃g to get
the equivalent formulation

$$(\forall s \in S)\ (\forall f \in A^{\perp}(s))(\exists g \in D^{\perp\perp}(s,F))\ (\forall b \in D^{\perp}(s,g))(\exists a \in D^{\perp}(s,f))\ \ s[a/f(a)] =_S s[b/g(b)].$$

Since $D^{\perp\perp}$ is equal to $A^{\perp}$, this is obviously true.

Thus, we can conclude that equality is a simulation from $w^{\perp\perp}$ to $w$. □

We obtain a surprising corollary:

Corollary 34 Any interaction system is isomorphic to an interaction where
the sets of reactions do not depend on a particular action. (More precisely, for
any state s, the function $a \mapsto D(s, a)$ is constant.)

PROOF. Just notice that $w^{\perp\perp}$ satisfies this property. □
Finally, we have



Corollary 35 The category Int is *-autonomous (see flMI), we can thus
interpret classical linear logic.



PROOF. Once we know that ⊥ is dualizing, the remaining conditions are
fairly easy to check: the following diagram should be commutative

± 

Wi — o W2 " W2 




where is the natural isomorphism from $w$ to $w^{\perp\perp}$. This is immediate
since is the identity on $S$ and is the "converse" operation of a
relation. (See footnote 9 on page 27.)

We can then unfold all the usual technology to give a denotational model for 
classical linear logic. 

□ 



It is interesting to highlight some aspects of this model:

• Int is a "games" model for full classical linear logic. The isomorphism
between $w$ and $w^{\perp\perp}$ is given by the identity relation.

• The constructions are quite different from usual games constructions; in
particular, they have a strong synchronous feeling.

• The notion of strategy is not used to define morphisms; rather, we use the
notion of simulation.

• The fact that $w \simeq w^{\perp\perp}$ seems rather accidental as it is not expected to
hold in any generalized version of interaction systems. (See the discussion
about containers in section 6.2.) This fact is also highly non-constructive
and almost counter-intuitive.

Putting the model of the differential λ-calculus with the dualizing object ⊥,
it is expected that we get a model for Lionel Vaux's "differential λμ-calculus"
(see [22]), either in Vaux's setting (typed) or in an untyped setting.
6 Related Notions



6.1 Predicate Transformers

The category Int has a very concrete feeling. In [2], we have developed a
model for full linear logic with a different intuition: the category of predicate
transformers with forward data-refinements:

Definition 36 If S is a set, a predicate transformer on S is a monotonic
(w.r.t. inclusion of subsets) function from $\mathcal{P}(S)$ to $\mathcal{P}(S)$.

If $F_1$ and $F_2$ are predicate transformers respectively on $S_1$ and $S_2$, a forward
data-refinement from $F_1$ to $F_2$ is a relation $r \subseteq S_1 \times S_2$ s.t. $\langle r \rangle \cdot F_1 \subseteq F_2 \cdot \langle r \rangle$.^
(Extensional ordering.)

Such predicate transformers with forward data-refinements form a category
called PT.

An interaction system can be seen as a concrete representation for a predicate
transformer. More precisely:

Proposition 37 The operation $w \mapsto w^{\circ}$ from Int to PT defined as

$$s \in w^{\circ}(x) \ \Leftrightarrow\ (\exists a \in w.A(s))(\forall d \in w.D(s,a))\ s[a/d] \in x$$

can be extended to a full and faithful functor from Int to PT.

The intuition in $s \in w^{\circ}(x)$ is that the Angel has a foolproof way to reach x in
exactly one interaction.



PROOF. The action on morphisms is just the identity: we thus need to show
that r is a simulation from $w_1$ to $w_2$ iff r is a forward data-refinement from $w_1^{\circ}$
to $w_2^{\circ}$. The proof is not very difficult and can be found in [10]. □




The interesting point is that all the constructions presented above are the
concrete versions of the constructions presented in [2]. For example, we have

$$(w_1 \otimes w_2)^{\circ} = w_1^{\circ} \otimes w_2^{\circ}$$

where ⊗ on the left is the synchronous tensor on interaction systems and the
tensor on the right is the tensor on predicate transformers.^

Where $\langle r \rangle$ is the direct image of r: $s_2 \in \langle r \rangle(x)$ iff $(\exists s_1)\ (s_1, s_2) \in r \wedge s_1 \in x$.

Another interesting example is the fact that $(w^{\perp})^{\circ} = (w^{\circ})^{\perp}$. This is interesting
because the definition of duality in the case of predicate transformers is very
simple, and involutivity is trivial:

$$F^{\perp}(x) = \overline{F(\overline{x})}$$

where $\overline{x}$ represents the S-complement of x (i.e. $\overline{x} = S \setminus x$).



Surprisingly, proposition 37 can be strengthened in an ad-hoc way to read:

Proposition 38 The categories Int and PT are equivalent. Moreover, this
equivalence is a "retract".



PROOF. By "retract", we mean the following: there is a functor $\mathcal{F}$ from
PT to Int which satisfies $\mathcal{F}(F)^{\circ} = F$ and $\mathcal{F}(w^{\circ}) \simeq w$. In other words, we
obtain equal object in one direction but only isomorphic objects in the other
direction.

This functor $\mathcal{F}$ is defined as follows: let F be a predicate transformer on S,
define $\mathcal{F}(F)$ to be the interaction system on S with components

$$\mathcal{F}(F).A(s) = \{x \subseteq S \mid s \in F(x)\}$$
$$\mathcal{F}(F).D(s, x) = x$$
$$\mathcal{F}(F).n(s, x, s') = s'$$

Checking that this operation does define a functor is left as an exercise.
(See [10].) □
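
Propositions 37 and 38 can be checked exhaustively on small finite interaction systems. The Python code below is an added example, not code from the paper: the class `IS`, the function names and the sample systems `W1` and `W2` are constructed here, and simulations are checked with the quantifier pattern (∀a1)(∃a2)(∀d2)(∃d1) that section 6.2 displays.

```python
from itertools import chain, combinations

def subsets(S):
    """All subsets of the finite set S, as frozensets."""
    S = list(S)
    return [frozenset(c) for c in
            chain.from_iterable(combinations(S, k) for k in range(len(S) + 1))]

class IS:
    """Finite interaction system: actions A(s), reactions D(s, a), next state n(s, a, d)."""
    def __init__(self, S, A, D, n):
        self.S, self.A, self.D, self.n = frozenset(S), A, D, n

def circ(w):
    """w° : s ∈ w°(x) iff (∃a ∈ A(s)) (∀d ∈ D(s, a)) s[a/d] ∈ x."""
    def F(x):
        return frozenset(
            s for s in w.S
            if any(all(w.n(s, a, d) in x for d in w.D(s, a)) for a in w.A(s)))
    return F

def from_pt(S, F):
    """Interaction system built from a predicate transformer F on S:
    A(s) = {x ⊆ S | s ∈ F(x)}, D(s, x) = x, n(s, x, s') = s'."""
    S = frozenset(S)
    return IS(S,
              lambda s: [x for x in subsets(S) if s in F(x)],
              lambda s, x: x,
              lambda s, x, s2: s2)

def is_simulation(r, w1, w2):
    """(s1, s2) ∈ r ⇒ (∀a1)(∃a2)(∀d2)(∃d1) (s1[a1/d1], s2[a2/d2]) ∈ r."""
    return all(
        any(all(any((w1.n(s1, a1, d1), w2.n(s2, a2, d2)) in r
                    for d1 in w1.D(s1, a1))
                for d2 in w2.D(s2, a2))
            for a2 in w2.A(s2))
        for (s1, s2) in r for a1 in w1.A(s1))

def image(r, x):
    """Direct image <r>(x) = {s2 | (∃s1 ∈ x) (s1, s2) ∈ r}."""
    return frozenset(s2 for (s1, s2) in r if s1 in x)

def is_refinement(r, F1, S1, F2):
    """Forward data-refinement: <r>·F1 ⊆ F2·<r>, checked on every x ⊆ S1."""
    return all(image(r, F1(x)) <= F2(image(r, x)) for x in subsets(S1))

def relations(S1, S2):
    """Every relation r ⊆ S1 × S2."""
    return subsets((s1, s2) for s1 in S1 for s2 in S2)

# Constructed sample systems (not from the paper).
W1 = IS({0, 1},
        A=lambda s: ["stay", "flip"] if s == 0 else ["flip"],
        D=lambda s, a: [0] if a == "stay" else [0, 1],
        n=lambda s, a, d: s if a == "stay" else (s + d) % 2)
W2 = IS({"p", "q"},
        A=lambda s: ["go"],
        D=lambda s, a: [0],
        n=lambda s, a, d: "q")

def simulations(w1, w2):
    """All relations that are simulations from w1 to w2."""
    return {r for r in relations(w1.S, w2.S) if is_simulation(r, w1, w2)}

def refinements(w1, w2):
    """All relations that are forward data-refinements from w1° to w2°."""
    F1, F2 = circ(w1), circ(w2)
    return {r for r in relations(w1.S, w2.S) if is_refinement(r, F1, w1.S, F2)}

def retract_holds(w):
    """Proposition 38 on w: F(w°)° = w°, and the identity relates F(w°) and w both ways."""
    F = circ(w)
    back = from_pt(w.S, F)
    same_pt = all(circ(back)(x) == F(x) for x in subsets(w.S))
    ident = frozenset((s, s) for s in w.S)
    return same_pt and is_simulation(ident, w, back) and is_simulation(ident, back, w)

if __name__ == "__main__":
    print(simulations(W1, W2) == refinements(W1, W2))
    print(retract_holds(W1), retract_holds(W2))
```

The two sets returned by `simulations` and `refinements` coincide for every pair of systems, which is the full-and-faithful part of proposition 37 on this instance.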



Once more, we separate propositions 37 and 38 because while we expect
proposition 37 to hold for different generalizations of interaction systems / predicate
transformers (see theorem 3.4 in [3]), proposition 38 seems very specific to this
particular case.



$(s_1, s_2) \in F_1 \otimes F_2(r)$ iff $(\exists x \subseteq S_1)(\exists y \subseteq S_2)\ x \times y \subseteq r \wedge s_1 \in F_1(x) \wedge s_2 \in F_2(y)$
6.2 Containers

In [3], the authors study the notion of container, a structure bearing several
similarities with the notion of interaction system. They work in a variant of
Martin-Löf type theory ( PT][2^ ), a dependent predicative type theory.

Mild knowledge about this type theory is assumed in this section.

Simply, a container is given by the following:

• a set A of shapes;

• and for any $a \in A$, a set $D(a)$ of positions.

A morphism from $(A_1, D_1)$ to $(A_2, D_2)$ is given by a pair $(f, u)$ where f is a
function $f : A_1 \to A_2$ and u is a family of functions indexed by $A_1$ and we
have $u_{a_1} : D_2(f(a_1)) \to D_1(a_1)$.

This is reminiscent of interaction systems in the following way: any interaction
system on the set of states {*} (singleton set) can be seen as a container, and
any container can be seen as an interaction system on {*}.

The link between container morphisms and simulations is subtler: a simulation
from $w_1$ to $w_2$ (two interaction systems on {*}) is given by a relation
$r \subseteq \{*\} \times \{*\} \simeq \{*\}$. In Martin-Löf type theory, a subset is seen as a
propositional function $r : \{*\} \to \mathrm{Set}$, i.e. a set. The condition required to
make this "relation" a simulation is the following:

$$r \Rightarrow (\forall a_1 \in A_1)(\exists a_2 \in A_2)\ (\forall d_2 \in D_2(a_2))(\exists d_1 \in D_1(a_1))\ r.$$

We can apply the (constructive) axiom of choice to skolemize this and we
obtain

$$r \Rightarrow (\exists f : A_1 \to A_2)(\exists u : \textstyle\prod_{a_1 \in A_1} D_2(f(a_1)) \to D_1(a_1))\ (\forall a_1 \in A_1)(\forall d_2 \in D_2(f(a_1)))\ r$$

which is logically equivalent to

$$r \Rightarrow (\exists f : A_1 \to A_2)(\exists u : \textstyle\prod_{a_1 \in A_1} D_2(f(a_1)) \to D_1(a_1))\ \top$$

where ⊤ denotes the true proposition (or the singleton set in Martin-Löf type
theory).

Thus, a constructive (in the sense of Martin-Löf type theory) simulation
between two interaction systems on {*} is given by:

• a set r;

• and a function $r \to (\Sigma f : A_1 \to A_2)\ \prod_{a_1 \in A_1} D_2(f(a_1)) \to D_1(a_1)$.

Equivalently, a simulation between two interaction systems on {*} is nothing
but a family of container morphisms between the corresponding containers!

However, the difference is that while container morphisms are identified when
the functions acting on actions / reactions are extensionally equal, simulations
are identified when the relations between states are extensionally equal. In
other words, two simulations $(r_1, (f_1, u_1))$ and $(r_2, (f_2, u_2))$ between interaction
systems on {*} are equal when there are "translating functions" $r_1 \leftrightarrow r_2$.^

If we adopt a classical point of view, then everything is rather boring: there
is at most one non-empty simulation between two interaction systems on {*}:
the relation {(*,*)}. The link with container morphisms is then the following:

• if there is at least one container morphism from $w_1$ to $w_2$, then there will
be exactly one non-empty simulation from $w_1$ to $w_2$;

• if there is no container morphism from $w_1$ to $w_2$, then the only simulation
from $w_1$ to $w_2$ will be the empty simulation.

This whole theory of containers can be extended to work in a large class of
locally cartesian closed categories. (See [3].) In such a setting, one needs to
take care of additional coherence diagrams, but the idea is similar.

There is currently some work being done on generalizing containers to a
notion of dependent containers, i.e. interaction systems. The idea, following the
original intuition of [23] and [21] is to define a dependent container in a locally
cartesian closed category C as:

• an object S in C;

• an object A in C/S;

• an object D in $C/(\Sigma_S A)$;^

• a morphism n in $C(\Sigma_S \Sigma_A D, S)$.

The appropriate notion(s) of morphism is not entirely clear and still under
heavy discussion...



Note that since $r_1$ and $r_2$ are "propositions", we do not require that those
translating functions are inverse of each other.

Recall that in a locally cartesian closed category, if B is a slice in C/A, we
write $\Sigma_A B$ for the codomain of B.
Conclusion



We have developed a new category where objects are games to model linear
logic or λ-calculus. What is rather new is the use of a notion of simulation
for morphisms: the notion of strategy is not used in this model! Strategies
do however appear implicitly in the notion of safety property, which are the
"points" of our model: a safety property is a set of states for which there is an
infinite strategy which restricts interaction to stay in the safety property. This
strategy is only guaranteed to exist, but there is in general no way to obtain
it.



One of the interesting points about this model is that it allows us to model
full linear logic (it can even be extended to second order). Moreover, and this
is relatively new, it can interpret the untyped differential λ-calculus.



An interesting project is to see whether one can apply the technology developed
here in order to give denotational models for more interesting programming
languages. PCF-like languages ought to be rather easy, but interaction
systems (or predicate transformers) are rooted in "real" programming^ so
that we might expect to have access to many programming features...



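A The Simply Typed Differential λ-calculus

The syntax of the simply typed differential λ-calculus is given by the following
grammar:

$$t, u, t_1, t_2 ::= x \mid (t_1)\,t_2 \mid \lambda x.t \mid 0 \mid (t_1 + t_2) \mid \mathrm{D}t \cdot u$$



We define β-reduction in the usual way:

$$(\lambda x.t)u \to t[u/x]$$



Predicate transformers were used to give a semantics to sequential programs by
Dijkstra (wp or wlp calculus) and have been extended to deal with specifications
as well (whole field of refinement calculus); interaction systems, as hinted in the
first section, seem appropriate to describe interfaces.

where substitution is extended in the following "obvious" way:

$$\begin{array}{lcl}
x[u/x] &=& u \\
y[u/x] &=& y \quad \text{if } y \neq x \\
(t)v\,[u/x] &=& (t[u/x])\,v[u/x] \\
\lambda x.t\,[u/x] &=& \lambda x.t \\
\lambda y.t\,[u/x] &=& \lambda y.t[u/x] \quad \text{if } y \neq x \\
0[u/x] &=& 0 \\
t_1 + t_2\,[u/x] &=& t_1[u/x] + t_2[u/x] \\
\mathrm{D}t \cdot v\,[u/x] &=& \mathrm{D}t[u/x] \cdot v[u/x]
\end{array}$$



Differential reduction is defined as:

$$\mathrm{D}(\lambda x.t) \cdot u \to \lambda x.\ \frac{\partial t}{\partial x} \cdot u$$



where $\partial t/\partial x \cdot u$, the linear substitution of x by u in t, is defined as:

$$\begin{array}{lcl}
\partial x/\partial x \cdot u &=& u \\
\partial y/\partial x \cdot u &=& 0 \quad \text{if } y \neq x \\
\partial (t)v/\partial x \cdot u &=& (\partial t/\partial x \cdot u)v + (\mathrm{D}t \cdot (\partial v/\partial x \cdot u))v \\
\partial \lambda x.t/\partial x \cdot u &=& \lambda x.t \\
\partial \lambda y.t/\partial x \cdot u &=& \lambda y.(\partial t/\partial x \cdot u) \quad \text{if } y \neq x \\
\partial 0/\partial x \cdot u &=& 0 \\
\partial (t_1 + t_2)/\partial x \cdot u &=& \partial t_1/\partial x \cdot u + \partial t_2/\partial x \cdot u \\
\partial (\mathrm{D}t \cdot v)/\partial x \cdot u &=& \mathrm{D}(\partial t/\partial x \cdot u) \cdot v + \mathrm{D}t \cdot (\partial v/\partial x \cdot u)
\end{array}$$



Terms are quotiented by the (contextual closure of the) following equations:

• $0 = (0)u = \lambda x.0 = \mathrm{D}0 \cdot t = \mathrm{D}t \cdot 0$;

• $(t_1 + t_2)\,u = (t_1)u + (t_2)u$;

• $\lambda x.(t_1 + t_2) = \lambda x.t_1 + \lambda x.t_2$;

• $\mathrm{D}(t_1 + t_2) \cdot u = \mathrm{D}t_1 \cdot u + \mathrm{D}t_2 \cdot u$;

• $\mathrm{D}t \cdot (u_1 + u_2) = \mathrm{D}t \cdot u_1 + \mathrm{D}t \cdot u_2$;

• $\mathrm{D}(\mathrm{D}t \cdot u) \cdot v = \mathrm{D}(\mathrm{D}t \cdot v) \cdot u$.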
The typing rules are



(1) if "x : r" appears in F; 

T \- X : T 



(2) 
(3) 



(5) 



T,x : T \- t : a 
r h Xx.t : a ^ T 
T \- t : T ^ a T \- u : a 

r h (t) M : r ' 

r h t : r r h M : r 



(4) and , 

^ ' rhO:r Tht + u-.T 



r \- t : T ^ a r \- u : T 

ri-Dt-u-.T 



Typed terms enjoy the Church-Rosser property and strong normalization
(w.r.t. β/differential reduction).